Category FILE
Started On 2016-11-06 21:46:54.150373
Completed On 2016-11-06 21:49:53.790866
Duration 179 seconds
Cuckoo Version 2.0-dev

Machine windowsxp1
Label windowsxp1
Manager VirtualBox
Started On 2016-11-06 21:46:56
Shutdown On 2016-11-06 21:49:53

File Details

File name billing_doc_60787.doc
File size 146432 bytes
File type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Title: , Author: Christian, Template: Normal.dot, Last Saved By: Windows, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Oct 26 12:25:00 2016, Last Saved Time/Date: Wed Oct 26 12:25:00 2016, Number of Pages: 1, Number of Words: 0, Number of Characters: 2, Security: 0
CRC32 4359A1BC
MD5 b107f3235057bb2b06283030be8f26e4
SHA1 b12d2984830eee5ef668032cc13691706efce4a5
SHA256 5d077b1341a6472f02aac89488976d4395a91ae4f23657b0344da74f4a560c8d
SHA512 b7cb31da8be04e044b3c8aadaf00555277fe990cbc42a81d718812b849be153ba6a87227d37374a6ea3cc3de2a204a749e9b643d8a7c1f39a29aa7beb913b3b8
Ssdeep 3072:cazJJgkkkkkkkkkXKOvO1Xe+ajS9GNZyFIo9IFBjfDS:V7gkkkkkkkkkXy1O+aj62ySo96jfDS
PEiD None matched
Yara None matched
VirusTotal Scan Date: 2016-11-06 12:18:43
VirusTotal Detection Rate: 34/54

Signatures

No signatures matched

Screenshots

Static Analysis

Strings

Dropped Files

9ac371b5b84adb63_~wrs{d5f99d08-15a0-4713-b838-ea7627e7713e}.tmp

4826c0d860af884d_~wrs{3b7139b6-4ab2-481e-9253-be4edc065c9e}.tmp

b27b98df298e685e_~$normal.dotm

42433666cdf00c75_msforms.exd

Network Analysis

Nothing to display.

Behavior Summary

File-Written
  • C:\Documents and Settings\Administrator\Local Settings\Temp\VBE\MSForms.exd
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{3B7139B6-4AB2-481E-9253-BE4EDC065C9E}.tmp
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\~$Normal.dotm
  • C:\Documents and Settings\Administrator\Local Settings\Temp\~$lling_doc_60787.doc
  • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.Word\~WRS{D5F99D08-15A0-4713-B838-EA7627E7713E}.tmp
  • \\?\PIPE\lsarpc
File-Opened
  • C:\
  • C:\Program Files\Microsoft Office\Office12\MSWORD.OLB
  • C:\WINDOWS\system32\spool\drivers\color\sRGB Color Space Profile.icm
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\Office\Word12.pip
  • C:\Program Files\Microsoft Office\Office12\ID_00030.DPC
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\
  • C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\OPA12.BAK
  • C:\WINDOWS\system32\FM20.DLL
  • C:\Documents and Settings\Administrator\Local Settings\Temp\billing_doc_60787.doc
  • C:\WINDOWS\system32\MSCTFIME.IME
  • C:\WINDOWS\system32\shell32.dll
  • C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6EXT.OLB
  • C:\Documents and Settings\Administrator\Local Settings\Temp\
  • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Cultures\OFFICE.ODF
  • \\?\PIPE\lsarpc
  • C:\Documents and Settings\Administrator\Local Settings\Temp\VBE\
  • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSO.DLL
  • C:\Documents and Settings\All Users\Documents\desktop.ini
  • C:\Program Files\Microsoft Office\Office12\
  • C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa12.dat
  • C:\Documents and Settings\Administrator\
  • C:\WINDOWS\system32\imm32.dll
  • C:\WINDOWS\system32\stdole2.tlb
  • C:\WINDOWS\system32\MSIMTF.dll
  • C:\WINDOWS\system32\
  • C:\Documents and Settings\
  • C:\Documents and Settings\Administrator\Local Settings\
  • C:\Documents and Settings\Administrator\Application Data\desktop.ini
  • C:\Program Files\
  • C:\Documents and Settings\Administrator\Local Settings\Temp\VBE\MSForms.exd
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Normal.dotm
  • C:\Documents and Settings\All Users\
  • C:\Documents and Settings\Administrator\Application Data\
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\
  • C:\Program Files\Common Files\Microsoft Shared\VBA\VBA6\VBE6.DLL
  • C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll
  • C:\Documents and Settings\Administrator\My Documents\desktop.ini
  • C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Office\
  • C:\Documents and Settings\Administrator\Application Data\Microsoft\Forms\WINWORD.box

Processes

lsass.exe PID: 644, Parent PID: 588

WINWORD.EXE PID: 2024, Parent PID: 1684

Volatility

Nothing to display.